[Samba] idmap config ad: can't resolve domain users' uids
Rowland Penny
rpenny at samba.org
Fri Feb 16 14:14:11 UTC 2018
On Fri, 16 Feb 2018 14:26:57 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> Il 16/02/18 13:43, Rowland Penny via samba ha scritto:
> > On Fri, 16 Feb 2018 13:10:16 +0100
> > Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> So just to recap: there were two problems:
> >>
> >> 1) the syntax mistake in smb.conf pointed up before;
> >
> > This wouldn't have helped.
> >
> >> 2) a logical mistake because wbinfo can't possibily work without
> >> the full setup that includes the nss part.
> >
> > No, wbinfo will work without the libnss_winbind links, but the OS
> > will not know who the AD users & groups are without the links.
>
> Rowland, you are helping me a lot.
>
> Let me make a step backwards.
>
> The problem is bugging me is to allow Domain Users to access samba
> shares (on a linux os) and to create file with the same uidNumber I
> have put in the AD directory.
>
> Domanin Users have been exported from a samba3-ldap domain.
>
> In a samba3-ldap domain the trick to have files with the same
> ownership [1] was to record the uidNumber data in the OpenLDAP.
>
> How does it work in samba4? I started with
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I
> have been populating the users' uidNumber ad attribute and the groups'
> gidNumber.
Lets see if I can explain it for you ;-)
If you use a DC as a fileserver (by the way, lots of people do not
recommend doing this), by default users & groups are assigned
xidNumber attributes in the '3000000' range. These 'xidNumbers' are
stored in 'idmap.ldb'
You can override these 'xidNumber' attributes by giving your users a
unique 'uidNumber' and groups a 'gidNumber'.
If you want the OS to know who the users and groups are, you will need
something to extract the data from either 'idmap.ldb' or AD, Samba
uses the libnss_winbind links, other methods are available.
See here for how to set up the links:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
And here:
https://wiki.samba.org/index.php/Libnss_winbind_Links
Rowland
More information about the samba
mailing list